inwardvessel 4190918472
Change pipe to eventfd in ChildProc (#1715)
1 day ago
.github New tests for listing and AttachPointParser 3 weeks ago
cmake Detect 7 arg bpf_attach_uprobe() API 4 months ago
docker Add ALLOW_UNSAFE_PROBE option for docker build 1 month ago
docs Add section on BTF types to Reference Guide 3 weeks ago
images update image and add source 2 years ago
man Remove the --btf option 3 weeks ago
resources clang_parser: workaround for asm_inline in 5.4+ kernel headers 1 year ago
scripts Check for kprobe dependencies 2 months ago
snap snapcraft: limit version string to 32 characters 10 months ago
src Change pipe to eventfd in ChildProc (#1715) 1 day ago
tests bpftrace: Fix build error 2 weeks ago
tools syscount.bt: Fix small typo in explanatory comment 3 weeks ago
.clang-format Non-invasive formatting of src/*.h 1 year ago
.editorconfig Add basic editorconfig for defining style (#775) 1 year ago
.gitattributes Highlight bpftrace source files 1 year ago
.gitignore codegen: avoid accidental checking of LLVM bytecode 7 months ago
.lgtm.yml Add LGTM security analyzer 10 months ago
CHANGELOG.md add mips64 reg 1 week ago
CMakeLists.txt Move LibBpf detection before bcc symbols check 1 month ago
CONTRIBUTING-TOOLS.md fix typos 2 years ago
INSTALL.md Update kernel options list to support kprobes 2 months ago
LICENSE Relicense under Apache 2.0 2 years ago
README.md Change discourse link to discussions page 3 weeks ago
Vagrantfile vagrant: update ubuntu box 2 days ago
build-debug.sh Use host network when building docker image 1 year ago
build-docker-image.sh Use host network when building docker image 1 year ago
build-release.sh Add ALLOW_UNSAFE_PROBE option for docker build 1 month ago
build.sh Split Docker build process into separate shell script files 3 years ago

README.md

bpftrace


bpftrace is a high-level tracing language for Linux enhanced Berkeley Packet Filter (eBPF) available in recent Linux kernels (4.x). bpftrace uses LLVM as a backend to compile scripts to BPF-bytecode and makes use of BCC for interacting with the Linux BPF system, as well as existing Linux tracing capabilities: kernel dynamic tracing (kprobes), user-level dynamic tracing (uprobes), and tracepoints. The bpftrace language is inspired by awk and C, and predecessor tracers such as DTrace and SystemTap. bpftrace was created by Alastair Robertson.

To learn more about bpftrace, see the Reference Guide and One-Liner Tutorial.

One-Liners

The following one-liners demonstrate different capabilities:

# Files opened by process
bpftrace -e 'tracepoint:syscalls:sys_enter_open { printf("%s %s\n", comm, str(args->filename)); }'

# Syscall count by program
bpftrace -e 'tracepoint:raw_syscalls:sys_enter { @[comm] = count(); }'

# Read bytes by process:
bpftrace -e 'tracepoint:syscalls:sys_exit_read /args->ret/ { @[comm] = sum(args->ret); }'

# Read size distribution by process:
bpftrace -e 'tracepoint:syscalls:sys_exit_read { @[comm] = hist(args->ret); }'

# Show per-second syscall rates:
bpftrace -e 'tracepoint:raw_syscalls:sys_enter { @ = count(); } interval:s:1 { print(@); clear(@); }'

# Trace disk size by process
bpftrace -e 'tracepoint:block:block_rq_issue { printf("%d %s %d\n", pid, comm, args->bytes); }'

# Count page faults by process
bpftrace -e 'software:faults:1 { @[comm] = count(); }'

# Count LLC cache misses by process name and PID (uses PMCs):
bpftrace -e 'hardware:cache-misses:1000000 { @[comm, pid] = count(); }'

# Profile user-level stacks at 99 Hertz, for PID 189:
bpftrace -e 'profile:hz:99 /pid == 189/ { @[ustack] = count(); }'

# Files opened, for processes in the root cgroup-v2
bpftrace -e 'tracepoint:syscalls:sys_enter_openat /cgroup == cgroupid("/sys/fs/cgroup/unified/mycg")/ { printf("%s\n", str(args->filename)); }'

More powerful scripts can easily be constructed. See Tools for examples.
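
As an illustration of a multi-probe script (an added example, not taken from the project's README or tools directory), the following pairs the openat entry and exit tracepoints through a per-thread map to log failed opens. The map names @path and @failed and the output layout are assumptions chosen for this example.

```bpftrace
#!/usr/bin/env bpftrace
// Added example: log openat() calls that fail, with errno and path,
// and count failures per process name.

BEGIN
{
  printf("%-8s %-16s %-5s %s\n", "PID", "COMM", "ERRNO", "PATH");
}

// Entry: remember the user-space filename pointer for this thread.
tracepoint:syscalls:sys_enter_openat
{
  @path[tid] = args->filename;
}

// Exit: a negative return value is -errno; report it with the saved path.
tracepoint:syscalls:sys_exit_openat
/@path[tid]/
{
  if (args->ret < 0) {
    printf("%-8d %-16s %-5d %s\n", pid, comm, 0 - args->ret, str(@path[tid]));
    @failed[comm] = count();
  }
  delete(@path[tid]);
}

// Drop the scratch map so only @failed is printed on exit.
END
{
  clear(@path);
}
```

Save it to a file and run it with bpftrace as root; on Ctrl-C, the @failed map is printed automatically.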

Install

For build and install instructions, see INSTALL.md.

Tools

bpftrace contains various tools, which also serve as examples of programming in the bpftrace language.

For more eBPF observability tools, see bcc tools.

Probe types

See the Reference Guide for more detail.

Support

For additional help / discussion, please use our discussions page.

Contributing

Development

For development and testing a Vagrantfile is available.

Make sure you have the vbguest plugin installed; it is required to correctly install the shared file system driver on the Ubuntu boxes:

$ vagrant plugin install vagrant-vbguest

Start VM:

$ vagrant status
$ vagrant up $YOUR_CHOICE
$ vagrant ssh $YOUR_CHOICE

License

Copyright 2019 Alastair Robertson

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.